One of the things we discovered while we were rolling out our deployment is that it is very important to monitor the availability of signed zones (see also this post by Migiel de Vos on monitoring). We have deployed default monitoring based on Nagios, with checks that verify whether all signer components are running. What we cannot check that way is whether the signatures remain valid for long enough, and that is a very important indicator of the signer's status: even if the signer daemon is running, that does not guarantee that it is actually re-signing the zone correctly.

We therefore decided that we should also monitor the validity of the signatures online. To achieve this, we created a small tool that plugs into Nagios and that can check the validity period of the signatures for either a single resource record or for a whole zone using an AXFR-style transfer.

You can download this tool using the link below; the source distribution includes a README with instructions on building and using the tool. The tool is released under a BSD-style license (included).
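As an added illustration, not the tool from this post, the following Python script applies the same kind of check to the RRSIG lines of an AXFR dump: it parses each signature's expiration time, reports the signature closest to expiry using Nagios exit codes, and, because it subtracts full timestamps as unbounded Python integers, a signature that expired years ago is flagged CRITICAL rather than silently passing. The zone lines, thresholds and names are constructed for the example.

```python
import re, sys, time
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

# RRSIG presentation format (RFC 4034 s3.2): owner TTL [class] RRSIG type-covered algorithm
# labels original-TTL expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+\S+\s+\S")

# Constructed sample AXFR output; the signature field is a placeholder, only the times matter.
SAMPLE_ZONE = """\
example.test.     3600 IN RRSIG SOA 8 2 3600 20240301120000 20240201120000 12345 example.test. AbCd==
example.test.     3600 IN RRSIG NS  8 2 3600 20240201000000 20240101000000 12345 example.test. AbCd==
www.example.test. 3600 IN RRSIG A   8 3 3600 20190101000000 20181201000000 12345 example.test. AbCd==
"""

def parse_timestamp(ts: str) -> int:
    """YYYYMMDDHHmmSS (UTC) -> seconds since the epoch. The wire field is only 32 bits wide,
    but the presentation form is unambiguous and Python ints never overflow or wrap."""
    return int(datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())

def check_rrsigs(zone_text: str, now: int, warn_hours: int = 48, crit_hours: int = 24):
    """Return (nagios_exit_code, message); the state is driven by the RRSIG that expires soonest."""
    worst, count = None, 0
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue
        count += 1
        remaining = parse_timestamp(m["expiration"]) - now  # negative once the signature has expired
        if worst is None or remaining < worst[0]:
            worst = (remaining, m["owner"], m["covered"])
    if count == 0:
        return UNKNOWN, "UNKNOWN: no RRSIG records found in input"
    remaining, owner, covered = worst
    if remaining <= 0:
        return CRITICAL, f"CRITICAL: {owner} {covered} RRSIG expired {-remaining / 3600:.1f}h ago ({count} checked)"
    detail = f"{count} RRSIGs checked; earliest expiry {owner} {covered} in {remaining / 3600:.1f}h"
    if remaining < crit_hours * 3600:
        return CRITICAL, "CRITICAL: " + detail
    if remaining < warn_hours * 3600:
        return WARNING, "WARNING: " + detail
    return OK, "OK: " + detail

if __name__ == "__main__":  # pipe the output of an AXFR (e.g. from dig) on stdin; falls back to the sample
    code, msg = check_rrsigs(sys.stdin.read() or SAMPLE_ZONE, int(time.time()))
    print(msg)
    sys.exit(code)
```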

There’s a little bug in version 0.1 I think. It reveals itself while testing for RRSIGs that expired way in the past. They are flagged as OK. Reason is the type of the validFor variable. I changed it from ‘int’ to ‘int32_t’ and then things were fine.